OAuth 2.0 study notes

The four OAuth 2.0 grant types and four ways of storing tokens

https://blog.csdn.net/weixin_39526238/article/details/111204785

Four grant types

Password grant (password)
Authorization code grant (authorization_code)
Implicit grant (implicit)
Client credentials grant (client_credentials)
Summary: how the four grant types differ

Four token storage modes (only the in-memory store is implemented in the sections below)

1. Storing tokens in memory
2. Storing tokens as JWTs
3. Storing tokens in Redis
4. Storing tokens in a database (MySQL, Oracle)
Summary: how the four storage modes differ and when to use each

1. Client credentials grant (client_credentials)

1.1 Characteristics of the client credentials grant:

  1. No refresh token is issued (RFC 6749 says the server should not include one for this grant). It is the simplest of the four: there is no end user at all, the client authenticates with its own client_id and client_secret and receives a token in a single request. The whole security of the grant therefore rests on keeping the client secret confidential, which makes it suitable only for confidential, server-side clients acting on their own behalf, never for browser or mobile code.

Authentication flow diagram (image not preserved)

Implementing the client credentials grant with the in-memory client store:

package com.guyu.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * OAuth 2.0 authorization server with an in-memory client store, used here for the client credentials grant.
 * The configuration classes on this page are alternatives: enable only one @EnableAuthorizationServer
 * class per application.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorzationClientConfig extends AuthorizationServerConfigurerAdapter {
    /**
     * Spring Boot 2.x requires a PasswordEncoder; without one the client secret check fails with
     * "Encoded password does not look like BCrypt".
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")                                // client_id
                .secret(passwordEncoder().encode("secretApp"))           // client_secret, stored BCrypt-hashed
                // All five grant types are enabled so the same client can be reused in the later sections.
                // A real client_credentials client should be registered with "client_credentials" only:
                // every extra grant widens what a leaked secret can be used for.
                .authorizedGrantTypes("authorization_code", "password", "client_credentials", "implicit", "refresh_token")
                .scopes("all", "write")
                .redirectUris("http://localhost:8001/public/hello");     // only used by the redirect-based grants
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")               // /oauth/token_key is public
                .checkTokenAccess("isAuthenticated()")           // /oauth/check_token requires client authentication
                .allowFormAuthenticationForClients();            // accept client_id/client_secret as form fields as well as HTTP Basic
    }
}

1.2 Testing the client credentials grant with Postman

POST localhost:9000/oauth/token with grant_type=client_credentials (and optionally scope). The client authenticates either with HTTP Basic auth (client_id as the user name, client_secret as the password) or, because allowFormAuthenticationForClients() is enabled above, with client_id and client_secret as form fields. The response contains an access_token but no refresh_token: Spring's ClientCredentialsTokenGranter strips it even though "refresh_token" is among the client's grant types.
(screenshot not preserved)

2. Authorization code grant (authorization_code)

2.1 Characteristics of the authorization code grant:

1. A refresh token is issued, and it is the most secure of the four grants: the user's browser only ever sees a short, single-use authorization code. The client exchanges that code for the access token in a back-channel request to /oauth/token in which it must authenticate with its client_secret, so the access token never appears in a browser URL, in browser history or on the redirect target.

Authorization code grant code

package com.heartsuit.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * OAuth 2.0 authorization code grant with the in-memory client store.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationCodeConfig extends AuthorizationServerConfigurerAdapter {

    /**
     * Spring Boot 2.x requires a PasswordEncoder; without one the client secret check fails with
     * "Encoded password does not look like BCrypt".
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Step 1 of the flow is opened in the browser (client_id must be the registered one):
    // http://localhost:9000/oauth/authorize?client_id=clientApp&response_type=code
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")                                     // client_id
                .secret(passwordEncoder().encode("secretApp"))                // client_secret, stored BCrypt-hashed
                .authorizedGrantTypes("authorization_code", "refresh_token")  // authorization code grant plus refresh
                .scopes("all", "write")
                // Registered redirect URI of the third-party service. The code is only ever delivered here,
                // so this list must contain only URIs the client controls, matched exactly.
                .redirectUris("http://localhost:8001/public/hello");
    }

    /**
     * checkTokenAccess defaults to denyAll(); without the setting below a call to /oauth/check_token is rejected with:
     * [{"timestamp":"2021-01-08T05:56:40.950+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/oauth/check_token"}]
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }
}

Testing the authorization code grant with Postman

1. Obtain the authorization code

1. Open the following link in a browser

 http://localhost:9000/oauth/authorize?client_id=clientApp&response_type=code

Enter the account and password: admin/123456
(screenshot not preserved)
After logging in, approve the requested scope on the consent page and click Authorize.
(screenshot not preserved)
When the browser lands on the page shown below, it has been redirected to the third-party service address (http://localhost:8001/public/hello) with the code appended as ?code=...
(screenshot not preserved)

2. Obtain the access_token

Use Postman to exchange the authorization code for a token

1. First step: configure Authorization (Basic Auth with clientApp / secretApp)
(screenshot not preserved)
Second step: configure the request parameters: POST /oauth/token with grant_type=authorization_code, code=<the code from step 1> and, if the authorize request carried a redirect_uri, the same redirect_uri again
(screenshot not preserved)

Each code can be redeemed exactly once; Spring's in-memory code store removes it on first use. Redeeming it a second time, or sending a code that was never issued, returns:

{
    "error": "invalid_grant",
    "error_description": "Invalid authorization code: HYOKNp"
}
3. Refresh the access_token

POST /oauth/token with grant_type=refresh_token and refresh_token=<the refresh_token from the previous response>, again authenticating as the client.
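The code exchange, the single-use rule behind the invalid_grant error above, the redirect_uri check and the refresh step are easiest to see in one place. The following is an added example, not code from the page or from Spring Security OAuth: a constructed stand-in for the authorization server's /oauth/authorize and /oauth/token logic in Python, using the page's client registration (clientApp / secretApp, redirect URI http://localhost:8001/public/hello, scopes all and write). The five-minute code lifetime and the rotation of the refresh token on every use are assumptions of this example; Spring's in-memory code store has no expiry and reuses refresh tokens by default.

```python
import secrets
import time
from dataclasses import dataclass, field

# Client registration mirroring the page's in-memory client. The server below is a
# constructed stand-in for the token endpoint logic, not Spring's implementation.
CLIENTS = {
    "clientApp": {
        "secret": "secretApp",
        "grant_types": {"authorization_code", "refresh_token"},
        "redirect_uris": {"http://localhost:8001/public/hello"},
        "scopes": {"all", "write"},
    }
}
CODE_TTL = 300      # assumption: an authorization code is valid for five minutes
TOKEN_TTL = 43199   # Spring's default access-token lifetime in seconds


@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)           # code -> (client_id, redirect_uri, scope, user, issued_at)
    access_tokens: dict = field(default_factory=dict)   # access token -> (client_id, user, scope)
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, scope, user):
        """/oauth/authorize after the user has logged in and approved the scope: issue a one-time code."""
        client = CLIENTS.get(client_id)
        if client is None or "authorization_code" not in client["grant_types"]:
            return {"error": "unauthorized_client"}
        if redirect_uri not in client["redirect_uris"]:
            # Exact match only: an attacker-controlled redirect_uri would receive the code.
            return {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
        if not set(scope) <= client["scopes"]:
            return {"error": "invalid_scope"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, frozenset(scope), user, time.time())
        return {"redirect": f"{redirect_uri}?code={code}"}

    def _client_ok(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        return (client is not None and isinstance(client_secret, str)
                and secrets.compare_digest(client["secret"], client_secret))

    def _issue(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = (client_id, user, scope)
        self.refresh_tokens[refresh] = (client_id, user, scope)
        return {"access_token": access, "token_type": "bearer", "refresh_token": refresh,
                "expires_in": TOKEN_TTL, "scope": " ".join(sorted(scope))}

    def token(self, client_id, client_secret, grant_type, **params):
        """/oauth/token: the client authenticates first, then redeems a code or a refresh token."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type not in CLIENTS[client_id]["grant_types"]:
            return {"error": "unauthorized_client"}
        if grant_type == "authorization_code":
            code = params.get("code")
            entry = self.codes.pop(code, None)   # consumed on first use, so a replay gets invalid_grant
            if entry is None:
                return {"error": "invalid_grant",
                        "error_description": f"Invalid authorization code: {code}"}
            code_client, code_redirect, scope, user, issued = entry
            # The code is bound to the client and redirect URI it was issued for.
            if code_client != client_id or code_redirect != params.get("redirect_uri"):
                return {"error": "invalid_grant", "error_description": "Redirect URI mismatch."}
            if time.time() - issued > CODE_TTL:
                return {"error": "invalid_grant", "error_description": "authorization code expired"}
            return self._issue(client_id, user, scope)
        if grant_type == "refresh_token":
            # Assumption of this example: the refresh token is rotated, the old one is burned.
            entry = self.refresh_tokens.pop(params.get("refresh_token"), None)
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant", "error_description": "Invalid refresh token"}
            _, user, scope = entry
            return self._issue(client_id, user, scope)
        return {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    server = AuthServer()
    step1 = server.authorize("clientApp", "http://localhost:8001/public/hello", {"all"}, "admin")
    code = step1["redirect"].split("code=")[1]
    first = server.token("clientApp", "secretApp", "authorization_code",
                         code=code, redirect_uri="http://localhost:8001/public/hello")
    replay = server.token("clientApp", "secretApp", "authorization_code",
                          code=code, redirect_uri="http://localhost:8001/public/hello")
    print(first)
    print(replay)
```

Running the block prints a full token response for the first exchange and the same invalid_grant body the page shows for the second one. The two checks that make this grant the safest of the four are the client authentication at the top of token() and the pop() that burns the code: a code captured from the browser is useless without the client secret, and useless a second time even with it.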

3. Password grant (password)

In this grant the user hands their user name and password to the client itself, which posts them to /oauth/token together with its own client credentials; a refresh token is issued. Only a first-party client that is fully trusted with the user's password should use it, and the OAuth 2.0 Security Best Current Practice now recommends against the password grant altogether.

Password grant code:

package com.heartsuit.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

/**
 * OAuth 2.0 password grant with the in-memory client and token stores.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationPasswordConfig extends AuthorizationServerConfigurerAdapter {

    /**
     * Spring Boot 2.x requires a PasswordEncoder; without one the client secret check fails with
     * "Encoded password does not look like BCrypt".
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Issued tokens are kept in memory: lost on restart and not shared between instances.
    private TokenStore tokenStore = new InMemoryTokenStore();

    // Exposed as a bean by SecurityConfig below; used to verify the user's username/password.
    @Autowired
    private AuthenticationManager authenticationManager;

    // Tokens are requested directly from http://localhost:9000/oauth/token; there is no /oauth/authorize step.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")                                     // client_id
                .secret(passwordEncoder().encode("secretApp"))                // client_secret, stored BCrypt-hashed
//              .authorizedGrantTypes("authorization_code", "refresh_token")  // authorization code grant
                .authorizedGrantTypes("password", "refresh_token")            // password grant plus refresh
                .scopes("all", "write")
                .redirectUris("http://localhost:8001/public/hello");          // not used by the password grant
    }

    /**
     * checkTokenAccess defaults to denyAll(); without the setting below a call to /oauth/check_token is rejected with:
     * [{"timestamp":"2021-01-08T05:56:40.950+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/oauth/check_token"}]
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }

    /**
     * The password grant needs an AuthenticationManager to check the user's credentials and a TokenStore
     * for the issued tokens. Without the AuthenticationManager Spring does not register the password
     * granter at all and the token endpoint answers "Unsupported grant type: password".
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .authenticationManager(authenticationManager);
    }
}

SecurityConfig configuration class

package com.heartsuit.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * @Author Heartsuit
 * @Date 2021-01-08
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // The BCryptPasswordEncoder bean declared in the authorization server configuration.
    @Autowired
    BCryptPasswordEncoder passwordEncoder;

    // Two in-memory users; both the password grant and the /oauth/authorize login form check against these.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password(passwordEncoder.encode("123456")).roles("ADMIN")
                .and()
                .withUser("user").password(passwordEncoder.encode("123456")).roles("USER");
    }

    // Expose the AuthenticationManager as a bean so the authorization server can inject it for the password grant.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

Fix for the error when calling the password grant:
https://www.freesion.com/article/5996123135/
Error message:
(screenshot not preserved)

Testing the password grant with Postman

1. Obtain the access_token

Getting the token with query parameters. This works, but it is not recommended: the user's password and the client_secret are part of the URL and therefore land in browser history, proxy logs and the server's access log.

http://localhost:9000/oauth/token?client_id=clientApp&client_secret=secretApp&password=123456&grant_type=password&username=admin

(screenshot not preserved)
Getting the token with the form body: put clientApp / secretApp in Basic Auth and grant_type, username and password in the x-www-form-urlencoded body.
(screenshot not preserved)
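What the Postman "body" variant actually sends, and why the "params" variant above is a bad habit, is shown by the following added example (not code from the page; it builds the request with Python's urllib instead of Postman). It serves both the client credentials test in section 1.2 and the password grant test here: build_token_request() puts the client credentials into the HTTP Basic Authorization header and the grant parameters into the POST body, and leaked_query_params() reports which sensitive fields a URL carries in its query string. send() is only usable with the page's server running on localhost:9000; everything else runs offline. The SENSITIVE set is this example's own choice.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:9000/oauth/token"   # the page's token endpoint
# Parameters that must never travel in a URL (assumption of this example).
SENSITIVE = {"client_secret", "password", "code", "refresh_token", "access_token"}


def build_token_request(grant_type, client_id, client_secret, **form):
    """Build (without sending) the POST to /oauth/token for the password or
    client_credentials grant. Client credentials travel in the HTTP Basic
    Authorization header, grant parameters in the form body; nothing secret
    is placed in the query string."""
    if grant_type not in ("password", "client_credentials"):
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if grant_type == "password" and not {"username", "password"} <= set(form):
        raise ValueError("password grant requires username and password")
    body = urllib.parse.urlencode({"grant_type": grant_type, **form}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def leaked_query_params(url):
    """Names of sensitive parameters a request URL carries in its query string;
    anything listed here ends up in browser history, proxy and access logs."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return sorted(SENSITIVE & set(query))


def send(req):
    """Send a built request and return the parsed token response.
    Only works with the page's authorization server running on localhost:9000."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    page_url = ("http://localhost:9000/oauth/token?client_id=clientApp&client_secret=secretApp"
                "&password=123456&grant_type=password&username=admin")
    print("leaked via query string:", leaked_query_params(page_url))
    req = build_token_request("password", "clientApp", "secretApp", username="admin", password="123456")
    print(req.get_method(), req.full_url, req.get_header("Authorization"), req.data)
    cc = build_token_request("client_credentials", "clientApp", "secretApp", scope="all")
    print(cc.get_method(), cc.full_url, cc.data)
```

The Basic header is base64("clientApp:secretApp"); that is what Postman's Authorization tab produces. The user's password still crosses the wire in the body, which is why this grant belongs only on TLS and only in first-party clients.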

2. Refreshing the token (refresh token): as for the authorization code grant, POST /oauth/token with grant_type=refresh_token and refresh_token=<the refresh_token from the previous response>, authenticating as the client.

4. Implicit grant (implicit)

The implicit grant skips the code exchange: after login and consent the access token is appended directly to the redirect URL, in the URL fragment, so the browser and any script on the redirect target can read it. The client never authenticates and no refresh token is issued. It was designed for browser-only clients and is now deprecated in favour of the authorization code grant.

(flow diagram not preserved)
Implicit grant code

package com.heartsuit.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * OAuth 2.0 implicit grant with the in-memory client store.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationImplConfig extends AuthorizationServerConfigurerAdapter {

    /**
     * Spring Boot 2.x requires a PasswordEncoder; without one the client secret check fails with
     * "Encoded password does not look like BCrypt".
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Opened in the browser; response_type=token asks for the access token directly:
    // http://localhost:9000/oauth/authorize?client_id=clientApp&response_type=token&scope=all&redirect_uri=http://www.baidu.com
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")                          // client_id
                .secret(passwordEncoder().encode("secretApp"))     // client_secret; never checked in the implicit grant
                // "refresh_token" has no effect here: the implicit response only ever carries the access token.
                .authorizedGrantTypes("implicit", "refresh_token")
                .scopes("all", "write")
                // The access token is delivered to this host. A third-party site is fine for a demo,
                // but in production this must be a URI the client itself controls.
                .redirectUris("http://www.baidu.com");
    }

    /**
     * checkTokenAccess defaults to denyAll(); without the setting below a call to /oauth/check_token is rejected with:
     * [{"timestamp":"2021-01-08T05:56:40.950+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/oauth/check_token"}]
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }

}

1. Obtain the access_token

Copy the link into the browser and open it:

http://localhost:9000/oauth/authorize?client_id=clientApp&response_type=token&scope=all&redirect_uri=http://www.baidu.com

On the first visit, enter the user name and password
admin/123456
(screenshot not preserved)

Second, approve the authorization

(screenshot not preserved)
Third, the browser is redirected to the Baidu page with the access_token appended in the URL fragment (#access_token=...&token_type=bearer&expires_in=...&scope=all). From this point on the redirect target, and any script it loads, holds a valid token for the user.
(screenshot not preserved)
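The difference between the two redirect-based grants is where the credential sits in the redirect URL. The following added example (not code from the page; it uses Python's urllib on constructed redirect URLs, with a made-up token value) splits a redirect into the part the redirect target's server receives and the fragment that stays in the browser, classifies which grant produced it, and strips token-bearing parameters before such a URL is written to a log. The parameter names it redacts are this example's own choice.

```python
import urllib.parse

# Constructed examples of the two redirects discussed on the page (token value made up).
IMPLICIT_REDIRECT = ("http://www.baidu.com#access_token=5f0c2b7e-1111-2222-3333-444455556666"
                     "&token_type=bearer&expires_in=43199&scope=all")
CODE_REDIRECT = "http://localhost:8001/public/hello?code=HYOKNp"
TOKEN_PARAMS = ("access_token", "code", "refresh_token")   # redacted before logging (example's choice)


def _flat(qs):
    """Parse a query or fragment string into a dict with single values."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(qs).items()}


def split_redirect(url):
    """Separate what the redirect target's server receives (the query) from what
    stays in the browser (the fragment). Fragments are never sent in the HTTP request,
    but they are visible to every script on the page and stored in browser history."""
    parts = urllib.parse.urlsplit(url)
    return {"host": parts.netloc, "query": _flat(parts.query), "fragment": _flat(parts.fragment)}


def grant_from_redirect(url):
    """Which grant produced this redirect: token in the fragment means implicit,
    a code in the query means authorization code."""
    r = split_redirect(url)
    if "access_token" in r["fragment"]:
        return "implicit"
    if "code" in r["query"]:
        return "authorization_code"
    return "unknown"


def redact(url):
    """Drop token-bearing parameters from both query and fragment before logging the URL."""
    parts = urllib.parse.urlsplit(url)

    def keep(qs):
        return urllib.parse.urlencode([(k, v) for k, v in urllib.parse.parse_qsl(qs) if k not in TOKEN_PARAMS])

    return urllib.parse.urlunsplit(parts._replace(query=keep(parts.query), fragment=keep(parts.fragment)))


if __name__ == "__main__":
    for url in (IMPLICIT_REDIRECT, CODE_REDIRECT):
        print(grant_from_redirect(url), split_redirect(url))
        print("safe to log:", redact(url))
```

For the implicit redirect the query dict is empty: www.baidu.com's server never sees the token in the request, yet the page's JavaScript and the browser history do. For the authorization code redirect the server at localhost:8001 receives only a one-time code that is worthless without the client secret.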
